Service Routes

By default, the firewall uses the management (MGT) interface
to reach external services, such as DNS servers, external
authentication servers, and Palo Alto Networks services (software
and URL updates, licenses, and AutoFocus). As an alternative to the
MGT interface, you can configure a data port (a regular interface)
to reach these services. The path from the interface to the service
on a server is known as a service route. The service
packets exit the firewall on the port assigned for the external
service, and the server sends its response to the configured source
interface and source IP address.

You can configure service
routes globally for the firewall (shown in the following task) or Customize
Service Routes for a Virtual System on a firewall enabled
for multiple virtual systems so that you have the flexibility to
use interfaces associated with a virtual system. Any virtual system
that does not have a service route configured for a particular service
inherits the interface and IP address that are set globally for
that service.

The following procedure enables you to change
the interface the firewall uses to send requests to external services.

Customize service routes.

Select Device > Setup > Services > Global (omit
Global on a firewall without multiple virtual system capability),
and in the Services Features section, click Service Route
Configuration.

Select Customize and
do one of the following to create a service route:

For a predefined service:

Select IPv4 or IPv6 and
click the link for the service for which you want to customize the
service route.

To easily use the same source address for
multiple services, select the checkbox for the services, click Set
Selected Routes, and proceed to the next step.

To limit the drop-down list for Source Address, select a Source
Interface; then select a Source Address (from
that interface) as the service route. Selecting Any Source Interface
makes all IP addresses on all interfaces available in the Source
Address drop-down from which you select an address. Selecting Use
default causes the firewall to use the management interface
for the service route, unless the packet destination IP address
matches the configured Destination IP address, in which case the
source IP address is set to the Source Address configured
for the Destination. Selecting MGT causes
the firewall to use the MGT interface for the service route, regardless
of any destination service route.

Click OK to save the setting.

Repeat this step if you want to specify both an IPv4 and
IPv6 address for a service.

For a destination service route:

Select Destination and Add a Destination IP
address. In this case, if a packet arrives with a destination IP
address that matches this configured Destination address,
then the source IP address of the packet will be set to the Source
Address configured in the next step.

To limit the drop-down list for Source Address, select a Source
Interface; then select a Source Address (from
that interface) as the service route. Selecting Any Source Interface
makes all IP addresses on all interfaces available in the Source
Address drop-down from which you select an address. Selecting MGT causes
the firewall to use the MGT interface for the service route.
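The source-selection rules described above (MGT always wins; Use default falls back to MGT unless a destination service route matches; a customized service uses its own Source Interface and Source Address) are easy to get wrong when auditing which data port a given service actually egresses from. The following Python model is an added example written for this page; it is not Palo Alto Networks code and does not talk to a firewall. It assumes destination routes are expressed as CIDR networks with longest-prefix matching (the page only says the destination "matches"), and it treats a service's explicit customization as authoritative even when a destination route also matches, which the page does not specify. All interface names and addresses are constructed sample values.

```python
"""Model of PAN-OS service-route source selection (added example, not Palo Alto code).

Resolves which interface and source IP a service request leaves from, following
the precedence the procedure describes:
  * a service set to MGT always uses the management interface;
  * a service set to "Use default" uses MGT unless the destination IP matches a
    configured destination service route, whose Source Address then applies;
  * a service with an explicit Source Interface/Address uses that source
    (assumption: the page does not say how this interacts with destination
    routes, so this model treats the explicit source as authoritative).
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple, Union

MGT = "MGT"          # sentinel: "Selecting MGT" in the Source Interface list
USE_DEFAULT = None   # sentinel: "Use default" (no customization for the service)


@dataclass(frozen=True)
class SourceRoute:
    interface: str   # e.g. "ethernet1/1" (hypothetical data port)
    address: str     # source IP configured on that interface


@dataclass
class ServiceRouteConfig:
    mgt_address: str
    # service name -> SourceRoute, MGT, or USE_DEFAULT (a missing key means USE_DEFAULT)
    services: Dict[str, Union[SourceRoute, str, None]] = field(default_factory=dict)
    # destination network (CIDR, assumed) -> SourceRoute from the Destination tab
    destinations: Dict[str, SourceRoute] = field(default_factory=dict)

    def _destination_match(self, dest_ip: str) -> Optional[SourceRoute]:
        """Longest-prefix match of dest_ip against the destination service routes."""
        addr = ip_address(dest_ip)
        best, best_len = None, -1
        for cidr, route in self.destinations.items():
            net = ip_network(cidr, strict=False)
            if addr.version == net.version and addr in net and net.prefixlen > best_len:
                best, best_len = route, net.prefixlen
        return best

    def resolve(self, service: str, dest_ip: str) -> Tuple[str, str]:
        """Return (egress interface, source IP) for a request from `service` to dest_ip."""
        setting = self.services.get(service, USE_DEFAULT)
        if setting == MGT:
            # MGT is used regardless of any destination service route
            return (MGT, self.mgt_address)
        if setting is USE_DEFAULT:
            matched = self._destination_match(dest_ip)
            if matched is not None:
                return (matched.interface, matched.address)
            return (MGT, self.mgt_address)
        # explicit customization for this service (assumption: not overridden)
        return (setting.interface, setting.address)


def egress_report(cfg: ServiceRouteConfig, probes):
    """Map each (service, destination) probe to its resolved (interface, source IP).

    Handy when checking that, for example, authentication or update traffic
    leaves the intended data port so the receiving server's allow-list is right."""
    return {(svc, dst): cfg.resolve(svc, dst) for svc, dst in probes}


# Constructed sample configuration using documentation/private ranges, not a real device.
SAMPLE = ServiceRouteConfig(
    mgt_address="192.0.2.10",
    services={
        "dns": SourceRoute("ethernet1/1", "10.1.1.1"),   # customized service route
        "ntp": MGT,                                      # forced to MGT
    },
    destinations={
        "10.10.0.0/16": SourceRoute("ethernet1/3", "10.10.1.1"),
        "10.10.5.0/24": SourceRoute("ethernet1/4", "10.10.5.1"),  # more specific
    },
)

if __name__ == "__main__":
    probes = [("dns", "203.0.113.53"), ("ntp", "10.10.5.5"),
              ("ldap", "10.10.5.5"), ("ldap", "10.10.7.7"), ("ldap", "10.20.1.1")]
    for key, val in egress_report(SAMPLE, probes).items():
        print(key, "->", val)
```

In the sample, "ldap" has no customization, so it is resolved as Use default: a request to 10.10.5.5 picks the /24 destination route, 10.10.7.7 picks the /16, and 10.20.1.1 falls back to MGT, while "ntp" goes out MGT even for destinations that match a destination route.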